Overhaul of $6B cyber program gets off to encouraging start

The General Services Administration and the Homeland Security Department’s industry day on April 17 was the beginning of the future of the Continuous Diagnostics and Mitigation (CDM) program.

The few hundred participants in-person and on the phone gathered a few more details about where the governmentwide cybersecurity program is heading over the next year.

The discussions about the new special item number (SIN) under Schedule 70, as well as the current status of the CDM program across the government, are helping to set the scene for a busy summer.

But the meeting also left some participants with more questions than answers, particularly around the process for obtaining the SIN.

“It was a very positive event, and it showed GSA and DHS are switching to the way CDM should’ve done in the beginning, where agencies can pick whatever products they wanted based on what they wanted to get done,” said Harold Youra, president of Alliance Solutions, which helps product vendors with business development activities. “There still are several questions around how DHS and GSA are funding this. I’m not sure they know the answer right now.”

Youra said GSA and DHS indicated there would be a process for obtaining the SIN, but never fully described that approach.

“GSA says it will take 15 business days to process the SIN applications. But there were no details about what that application process looks like,” he said. “Also there were no details about what the cost will be to get on the SIN, and whether the system integrators will pick the products. Does that mean product vendors will have to sell to integrators? They were giving simple answers to what could be a potentially complicated process.”

GSA and DHS plan to hold another industry day for integrators in the coming weeks. The agencies didn’t say when or offer too many more details, but officials have said the changes to CDM are a two-step effort — creating the SIN and then using a governmentwide acquisition contract (GWAC) to continue the implementation of new tools and services, and to maintain the existing set of cyber products.

GSA detailed some aspects of the process in its presentation. It says DHS will evaluate the vendor information and, once a product is accepted, add it to the approved product list.

Youra added it was unclear whether the application would be one page or 10 pages, or how long it would take to complete. He said GSA indicated that vendors who didn’t receive approval would get feedback so they could fix their applications for resubmission.

“GSA said the products must prove that they can intercommunicate with each other, which was not in the original CDM contract,” he said. “If products can’t work together, then what’s the purpose of implementing those products?”

Two other interesting concepts about the CDM SIN — GSA will review submissions of new products monthly, usually around the first of the month, and it will waive the two-year requirement for a product to be in-market before coming on schedule.

Youra said the elimination of the two-year rule is a bit of a concern.

“Are GSA and DHS asking agencies to rely on products without a proven record? How are they going to ensure the product scales to the size the government needs?” he said.

GSA said it would use the FASTLane process to shorten the time needed to modify schedule contracts.

Nick Murray, district manager for the program capture, cloud and technology alliances for Splunk, said he’s glad to see GSA and DHS’ commitment to CDM beyond August 2018, when the current CDM contract expires.

“The new CDM SIN on IT-70 will allow federal and state and local entities to invest further in technologies that address some of the biggest pain points federal agencies are facing today,” he said. “As our industry continues to seek out new ways to address emerging cyber threats, data silos and a lack of visibility into IT systems, the new SIN will undoubtedly make it easier to embrace technologies that are rigorously vetted and sanctioned for placement on the CDM APL (Approved Product List).”

It’s no surprise GSA and DHS received a lot of interest in the next generation CDM strategy.

From the request for information it released in March, GSA says it received 52 responses.

  • 29 were large businesses
  • 23 were small firms
  • 42 are already on the IT schedule
  • 10 are not on the IT schedule
  • 44 have been in business more than five years

GSA says that through the RFI, vendors identified topics such as network architecture framework, mobile or Internet of Things device security monitoring, micro-segmentation security and unified security intelligence as potential additions to the emerging tools and technology category.

Vendors also overwhelmingly (72 percent) said there was a need to add services to the SIN.

“There is a general consensus that the current proposed SIN description is appropriately formulated and accurately covers the government’s intent in streamlining how CDM tools are sold,” GSA stated in its presentation from industry day. “The main concerns respondents have with the proposed CDM SIN description are: excessive focus on tools designed to protect the network rather than the assets that reside on it; overly broad descriptions of the subcategories and the [15] Total Functional Areas and ill-defined nature of Category 5 (Emerging Technology), which will increase difficulty in addressing any product requirements.”

The positive responses from industry are an important step for GSA and DHS toward improving CDM. The real test comes when they open up the SIN and are inundated with applications. That process must go smoothly or CDM’s troubles will begin anew.